Enable SSO login for Flux webUI

Closes #142 (closed)

This MR enables SSO OIDC login via Keycloak for the flux-webui Weave GitOps unit, work done mostly by @mihai.zaharia.
Notable mentions:

  • if the KeycloakClient.spec.client.secret parameter is not provided in the keycloak-operator CR, a random value (32 alphanumeric characters) is generated and stored in the automatically created -n keycloak Secret/keycloak-client-secret-<KeycloakClient.spec.client.clientId>-client, field .data.CLIENT_SECRET. This value must match the flux-webui side secret, -n flux-system Secret/oidc-auth, field .data.clientSecret;
  • this required introducing External Secrets Operator (ESO, first defined in !287 (merged)) and its Kubernetes provider, so that ESO can read the -n keycloak Secret/keycloak-client-secret-flux-webui-client contents from the management cluster's etcd and generate the -n flux-system Secret/oidc-auth from them;
  • ESO is made aware only of the secrets in the keycloak namespace, following least privilege, via specific RBAC (in the eso-store unit) attached to the ServiceAccount used by the ClusterSecretStore. The ClusterSecretStore is an interface to the keycloak namespace secrets that ExternalSecret resources from multiple namespaces can use: here flux-system is needed for creating the flux-webui OIDC secret, but cattle-global-data would also use it for Rancher's OIDC secret -n cattle-global-data Secret/keycloakoidcconfig-clientsecret, as targeted by !367 (merged), if this approach is found good and the code is merged;
  • the k8s Secret created by ESO lands in the same namespace as the generating ExternalSecret resource;
  • I have tried to have the KeycloakRealmImport CR enhanced with a client scope named "groups", but that overrides the default options and, to my knowledge, there is for now no useful declarative way to have it created, which is why we need to add it later with a curl, via a kube-job keycloak-add-client-scope. With the current script and dependencies, a single job pod iteration is needed:
/builds/sylva-projects/sylva-core # kubectl --kubeconfig management-cluster-kubeconfig get pod -l job-name=keycloak-add-client-scope
NAME                              READY   STATUS      RESTARTS   AGE
keycloak-add-client-scope-xxt2r   0/1     Completed   0          34m
/builds/sylva-projects/sylva-core #

Issue #289 (closed) was raised to try to replace this kube-job with keycloak-operator CRs.

  • specific Flux health checks were added for the Keycloak-side OIDC Secret generated by the KeycloakClient CR for flux-webui. This comes in handy when keycloak-operator is not quick enough to create the Secret resources and ESO (its ExternalSecret CR) tries to read them, finds them missing and generates the target (client-side OIDC) Secret with empty content for that literal. You would then need to re-sync the ExternalSecret once the -n keycloak Secret/keycloak-client-secret-flux-webui-client exists, and by default the ExternalSecret sync interval is set to 1h. Syncing alone wouldn't be enough either, because the flux-webui HR would already have deployed the app pod with the contents of the initial -n flux-system Secret/oidc-auth, so a pod restart would also be needed.
        - apiVersion: v1
          kind: Secret
          name: keycloak-client-secret-flux-webui-client
          namespace: keycloak
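
The ESO wiring described in the bullets above, as an added illustration that is not the MR's own manifests: a read-only Role scoped to the keycloak namespace, a ClusterSecretStore using the Kubernetes provider, and the ExternalSecret that copies CLIENT_SECRET into -n flux-system Secret/oidc-auth. The store name keycloak-secrets and the ServiceAccount name eso-store are assumptions; the Secret names, namespaces, keys and the 1h interval are those stated in the MR.

```yaml
# Added illustration, not the MR's manifests; store/SA names are assumed.
# Least-privilege read access for ESO, limited to Secrets in keycloak.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: eso-store
  namespace: keycloak
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
---
# One store for the keycloak namespace, usable from any namespace.
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: keycloak-secrets
spec:
  provider:
    kubernetes:
      remoteNamespace: keycloak
      server:
        caProvider:
          type: ConfigMap
          name: kube-root-ca.crt
          key: ca.crt
          namespace: keycloak
      auth:
        serviceAccount:
          name: eso-store
          namespace: keycloak
---
# Copies CLIENT_SECRET into the flux-webui-side Secret, created in the ExternalSecret's namespace.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: oidc-auth
  namespace: flux-system
spec:
  refreshInterval: 1h
  secretStoreRef:
    kind: ClusterSecretStore
    name: keycloak-secrets
  target:
    name: oidc-auth
  data:
    - secretKey: clientSecret
      remoteRef:
        key: keycloak-client-secret-flux-webui-client
        property: CLIENT_SECRET
```

The ServiceAccount, its RoleBinding, and the ClusterRole allowing the provider's SelfSubjectRulesReview self-check are omitted for space. If the source Secret does not exist yet when the ExternalSecret first reconciles, the target is written with an empty clientSecret and only refreshed after the 1h interval, which is the race the Flux health check above guards against.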


A follow-up for this flux-webui SSO feature is needed over #233 (closed).

Edited by Thomas Morin
